CloudCheck Compliance Certification Program

Transcription

1 CloudCheck Compliance Certification Program Ensure Your Cloud Computing Environment is Secure with CloudCheck Certification Organizations today are increasingly relying on a combination of private and/or public cloud computing infrastructures to support their overall business requirements. Given an erratic global economy, this shift toward a virtualized world is inevitable, since it provides the efficiencies, flexibility and overall cost-savings that most businesses desperately need in order to remain competitive. Unfortunately, a side effect of this computing transformation is that the concept of an organization s network security perimeter is dramatically different, making it even more challenging to maintain the level of network security that is essential for ensuring regulatory compliance within cloud and/or hybrid environments. As industry analysts will attest, adequate cloud security continues to be the single largest impediment to widespread cloud computing adoption, since most businesses view the mitigation of risk within the cloud to be a daunting task one that requires substantial and knowledgeable IT resources in order to provide thorough planning, auditing, and increased visibility into the cloud s physical and virtual infrastructure. With this need in mind, Masergy has developed the CloudCheck Certification Program. CloudCheck Certification is a vendor-neutral services portfolio that provides comprehensive and cost-effective cloud security assessment and validation for organizations interested in taking advantage of the economies of scale that cloud computing affords. For businesses of all sizes, cloud computing represents the promise of lower cost while establishing the foundation for a new wave of innovation and growth. Concerns about security, however, are a key barrier to adoption that must be overcome to give organizations the confidence to place their business-critical applications and data in the cloud. Aberdeen s research has consistently shown that the most successful organizations ensure that their IT infrastructure is first secure, then compliant, and then work to improve operational efficiencies and reduce overall cost. Masergy s initiative to certify security and compliance for cloud computing environments aligns well with what we have seen as the best-in-class approach. - Derek E. Brink, vice president and research fellow for IT Security, Aberdeen Group CloudCheck Certification Program Overview The way in which an organization approaches compliance policy enforcement and validation changes as portions of the company s infrastructure migrates to the cloud. Specific compliance-based policies and processes relevant to a cloud environment are crucial for defining an organization s implementation of industry or government standards, regulations, and requirements (e.g., PCI DSS, HIPAA, NERC-CIP, etc.). Consideration of such compliance requirements is an integral component of Masergy s CloudCheck Certification Program. Masergy is working with SaaS providers such as Amazon Web Services (AWS) to provide additional security functionality to their cloud deployments, and the CloudCheck Certification Program is a continuation of that effort. It offers a comprehensive, step-bystep approach to compliance that incorporates security processes, policies, and technology to ensure that critical customer data

2 in the cloud is untouchable by unauthorized personnel. As part of this program, world-class security experts are available when you need them to perform periodic audits, monitoring and testing to help keep your systems up-to-date and secure. The CloudCheck professional services portfolio includes: Security Assessments gap analyses to evaluate cloud security policies, processes, people and products. Periodic Audits monitoring and testing based on compliance requirements to validate that a company s software, systems and security programs are up-to-date. Web Application Assessments monitoring and testing of user access privileges to ensure that only authorized users can gain access to sensitive system and user information. Vulnerability Assessments quarterly testing of the effectiveness of security measures to ensure that networked systems and high-risk data are secure. CloudCheck Certification enables businesses to authenticate the security of their cloud deployment through a unique security toolkit IDS/IPS, vulnerability scanning, and log monitoring and management services that validates actual application instances within a cloud environment. This advanced security capability is made possible by Masergy s Unified Enterprise Security architecture, which transparently attaches to each application instance in the cloud. It moves with the application, continually assessing the security posture of each individual cloud computing environment. Similar to the way vulnerability scanning, log monitoring, and IDS functions are utilized in a traditional premise-based security infrastructure, Cloud Guard virtual security products are deployed in a cloud environment in order to bond with each application and then assess and certify the security of a specific cloud deployment. Masergy s Cloud Packet Analysis Approach Integrated with Virtual Firewall to Block Malicious Traffic Network Traffic ECn ECn Unified Administration & Monitoring Firewall Network Behavior Analysis Threat Network Access Policy & Monitoring Suspicious Traffic Intrusion Detection Service Security Information/Event Vulnerability ECn Syslogs Network Access Violations Vulnerability Scanning Cloud Applications Masergy s CloudCheck Compliance Certification is based on a modular systemic architecture that utilizes 100% passive technology and is hybrid Cloud/CPE enabled.

3 CloudCheck Certification Levels The CloudCheck Certification Program is comprised of two certification levels. CloudCheck Silver Certification focuses on the required cloud security risk management administrative controls appropriate for an organization carrying out the necessary level of cloud-centric due diligence and due care. CloudCheck Gold Certification builds upon the services available at the Silver level, and adds additional technical controls that an organization should deploy when migrating applications to the cloud. CloudCheck Silver Certification An organization s security governance and management relative to its migration to cloud computing is thoroughly evaluated. For example, critical areas such as security policy, standards, and procedures are assessed. Other key areas that are evaluated include information classification and handling, training, and configuration management. Analysis of an intended cloud provider s policies, SLAs, and documented security infrastructure are also a key component of this assessment. All of these security governance considerations are assessed for optimum cloud computing security. An all too common misconception is that a network breach is a singular event that occurs during a brief period of time. In reality, 82% of successful breaches were actually preceded by a series of successive reconnaissance activities, intentionally spanning days weeks and even months in an effort to avoid detection. Data Breach Investigations Report CloudCheck Gold Certification Building on the CloudCheck Silver Certification assessment, Gold Certification includes an assessment of critical technical controls related to the cloud-computing infrastructure. Examples of these technical controls are encryption, anti-malware, access control, network monitoring, vulnerability scanning, and log monitoring. Masergy will deploy its unique Cloud Guard virtual security tools in order to perform this comprehensive security assessment. Based upon an organization s security assessment requirements, detailed penetration testing can also be added. These cloud-centric assessment tools provide Masergy with visibility into the physical and virtual layers of the cloud-computing infrastructure a capability that other vendors do not have. CloudCheck Certification Program Assessment Areas Security Policy Since the security policy is the document from senior management that drives the organization with respect to the role that security plays, it is important that this document be appropriately updated to include the organization s foray into cloud computing.

4 Information Classification Information must be classified according to its risk (i.e., financial information or cardholder data would be of a higher classification than customer names). Protection Information must be protected according to its classification level as defined in policy. Storage When necessary to store sensitive information (e.g., cardholder data), it must be encrypted according to its classification level. Transmission Information in transit must be encrypted according to its classification level. This is to include information transmitted between virtual machines located on the same physical device when the physical device is not dedicated to, or physically controlled by, the organization. Encryption All cryptographic operations must be performed using cryptographic algorithms and corresponding key lengths as specified in the approved cryptographic algorithms. Digital Network Protection In order to maintain the confidentiality, integrity, and availability of sensitive information, the following security controls must be in place within the digital network. Note that both the organization s network assets with access to the cloud, and assets leveraged in the cloud should be considered in scope for this assessment: ACCESS CONTROL Network Network-level access control must be in place to protect sensitive information on network assets from external and internal attacks. User User-level access control must be in place to provide users with the minimum level of access required to perform their job. Information Access to sensitive information must be limited by user based on business need, in accordance with policy. MONITORING Network All network traffic to and from assets which store, process, or have access to sensitive information must be monitored on a 24/7 basis. Logs All logging by assets which store, process, or have access to sensitive information must be regularly monitored. VULNERABILITY MANAGEMENT Regular Vulnerability Scanning (Network and Application Level) Network-level vulnerability scanning will be performed at an appropriate frequency, with approved scanning tools. Vulnerability Remediation A program must be in place to remediate any discovered vulnerabilities in a timely manner. Anti-Virus Anti-virus software must be in place on all assets, and virus signatures must be regularly updated. Penetration Testing (Optional) A penetration test should at least be performed annually, and any time there are significant changes occur on the network or in applications. The penetration testing must include web applications. CONFIGURATION MANAGEMENT Change Any changes must be documented and approved prior to being made. Patch A patch management system must be in place to test and apply operating system and application patches and updates in a timely manner. Password Vendor-supplied default passwords must not be used. Passwords protecting sensitive information must meet complexity requirements. Passwords protecting sensitive information must be changed minimally every ninety (90) days. PASSWORD STORAGE Passwords must not be stored in either plain text or in any format that is reversible. Instead, a cryptographic hash of passwords should be stored.

5 SOX Compliance Flexible Managed Services for Your Cloud Computing Needs Once you have the CloudCheck seal, you can keep your cloud computing solution operating at peak efficiency with our world-class 24/7 managed or co-managed services. You can cost-effectively allocate your internal resources and outsource network security requirements based on your company s specific needs. Additional Resources Contact Masergy Today For more information regarding our Unified Enterprise Security solutions, contact us at 1 (866) or visit us online at Best Products & Services Reader s Trust Award Network Products Guide has named Masergy a winner of the 2009 Best Products and Services - Reader s Trust Award for Unified Security Global Product Excellence - Customer Trust Award Info Security Products Guide has named Masergy a winner of the 2009 Global Product Excellence Customer Trust Award for Integrated Security Product Innovation Award Network Products Guide has named Masergy s Enterprise UTM++ a winner of the 2009 Product Innovation Award for the overall Security Solution (Hardware and Software) category. Masergy also receive the Product Innovation award in 2008 for its All-n-One Security Module for Enterprise UTM Tomorrow s Technology Today Award Info Security Products Guide has named Masergy s Enterprise UTM++ a winner of the 2009 Tomorrow s Technology Today Award for the Integrated Security Solution (Hardware and Software) category. Masergy has also received the Tomorrow s Technology Today award in prior years (2006, 2007 & 2008) for Unified Security, Network Security and Security Risk Managed Security Services. SC Magazine 2008 Industry Innovator SC Magazine has recognized Masergy for its industry innovation in the unified threat management category. Rev (866) MASERGY ( ) Masergy Communications, Inc.